Cryptography: on the Hope for Privacy in a Digital World
Omer Reingold, Weizmann

So, is there Hope for Privacy?
• No! Privacy is doomed! Enjoy your sandwiches …
  Is this what we invited you for?
• On second thought, the digital world gives new hope for privacy!
  • Selling digital goods (w/ Bill Aiello and Yuval Ishai)
  • Keyword database search (w/ Mike Freedman, Yuval Ishai, and Benny Pinkas)

Day to Day Breaches of Privacy
• When/how can it be better?

Anonymity? Not in this Talk!
[Figure: Alice and Bob, with speech bubbles "And Betty, when you call me, you can call me Al!", "I can call you Betty," and "Call me Al ......"]

Selling Digital Goods
• How good are digital goods?
  • Entertainment: TV, music, video, books, software
  • Business: news, stock quotes, patents, layoff rumors
  • Research: papers, research databases, clip-art
• What’s special about digital goods?
  • Typically of unlimited supply (easy to duplicate).
  • Easy to communicate and manipulate
• Main goal: protect the privacy of clients
  • What
  • When
  • How much
  • (But not who)

Example
[Figure: Vendor and Buyer. Labels: "Encrypted Individually"; "Key of ‘ ’"]

Oblivious Transfer (OT) [R], 1-out-of-N [EGL]:
[Figure: Vendor holds X1, X2, X3, X4, …, Xn; Buyer holds j and obtains Xj]
• Input:
  • Vendor: x1, x2, …, xn
  • Buyer: 1 ≤ j ≤ n
• Output:
  • Vendor: nothing
  • Buyer: xj
• Privacy:
  • Vendor: learns nothing about j
  • Buyer: learns nothing about xi for i ≠ j
• Not necessarily two messages
• Related notions: Private Information Retrieval [CGKS] / Symmetrically-Private Information Retrieval [GIKM]

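Priced OT [AIR]
[Figure: protocol between Vendor and Buyer]
• Setup: initial payment $ b0 from Buyer to Vendor; set b = b0
• Vendor: Prices: p1, p2, …, pn, p0 = 0; Items: k1, k2, …, kn, k0
• Buyer: i
• Result: Buyer gets ki; b ← b − pi
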
Comparison with E-cash [Cha85, CFN88, ...]

                  E-cash      Priced OT
Payment           digital     any
Goods             any         digital
Hides             who         what +
Access to goods   anonymous   any

General Perspective
• Priced OT is an instance of secure two-party computation.
• Theoretical plausibility results are known [Yao, GMW].
• However: general solutions are costly (computation, bandwidth, rounds).
• A major endeavor in cryptography: identifying interesting specific problems and suggesting more efficient solutions.

Tool: Homomorphic Encryption
• Plaintexts from (G, +)
• E(a), E(b) → E(a+b)
• E(a), c → E(c·a)
• |G| large prime
• Can use either additive G = ZP or multiplicative G ⊆ Z*P
• In particular, can use El-Gamal.

Conditional Disclosure of Secrets [GIKM, AIR]
[Figure: Buyer holds (sk, pk) and sends E(q), pk to Vendor; Vendor holds a and returns E(a), or E(CDS( a; V(q) ))]
• Honest Buyer: V(q) = True
• How to protect against a malicious Buyer?
  • Method 1: Buyer proves in ZK that V(q) = True;
  • Method 2: Vendor discloses a subject to the condition V(q) = True.
• Notation: CDS( a; V(q) )

Conditional Disclosure of Secrets - Implementation
[Figure: Buyer holds (sk, pk) and sends E(q), pk to Vendor; Vendor holds a and returns E(CDS( a; V(q) ))]
• a, q, i ∈ G
• CDS(a ; q=i) : a + r(q−i), with r ∈R {1,…,|G|}
• E is homomorphic, so E(CDS( a ; V(q) )) can be computed from E(q)
• Information-theoretic security for Vendor (hides a).
• Need to verify “validity” of pk; easy for El-Gamal!

Application: 1-Round OT* [AIR, NP]
[Figure: Buyer holds (sk, pk) and q, and sends E(q), pk to Vendor; Vendor holds x1, x2, …, xn and returns E(CDS(x1 ; q=1)), … , E(CDS(xn ; q=n))]
• * Weakened / incomparable notion of security vs. simulation:
  • Vendor’s security: purely information-theoretic
  • Buyer’s security: privacy only.

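The CDS implementation and the 1-round OT built from it, as an added Python example (not code from the talk or from [AIR]). It uses the multiplicative El-Gamal variant, where a + r(q − i) becomes x_i · (q / g^i)^r. The toy group P, Q, g, the encoding of index j as g^j, the item encoding, and all function names are assumptions of this example.

```python
import secrets

# Toy group (assumption, far too small for real use): P = 2Q + 1, G = squares mod P, |G| = Q.
P, Q, g = 2039, 1019, 4

def in_group(v):                      # membership test used to validate pk and E(q)
    return 0 < v < P and pow(v, Q, P) == 1

def to_group(m):                      # encode item m in 1..Q as an element of G
    return m if in_group(m) else P - m

def from_group(y):                    # inverse of to_group
    return y if y <= Q else P - y

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(g, sk, P)

def enc(pk, m):                       # El-Gamal: E(m) = (g^k, m * pk^k)
    k = secrets.randbelow(Q - 1) + 1
    return pow(g, k, P), m * pow(pk, k, P) % P

def dec(sk, c):                       # c[0] is in G, so c[0]^(Q - sk) = c[0]^(-sk)
    return c[1] * pow(c[0], Q - sk, P) % P

def buyer_query(pk, j):               # q encodes the index j as g^j
    return enc(pk, pow(g, j, P))

def vendor_reply(pk, eq, items):
    """Return E(CDS(x_i; q = i)) for every i, computed from E(q) alone."""
    if not all(in_group(v) for v in (pk, *eq)):
        raise ValueError("pk or E(q) is not in G")
    reply = []
    for i, x in enumerate(items, start=1):
        r = secrets.randbelow(Q) + 1                  # r in {1, ..., |G|}
        d = (eq[0], eq[1] * pow(g, -i % Q, P) % P)    # E(q / g^i)
        mask = (pow(d[0], r, P), pow(d[1], r, P))     # E((q / g^i)^r)
        ex = enc(pk, to_group(x))                     # fresh E(x_i)
        reply.append((ex[0] * mask[0] % P, ex[1] * mask[1] % P))
    return reply                                      # slot i decrypts to x_i * (q / g^i)^r

def buyer_open(sk, reply, j):
    return from_group(dec(sk, reply[j - 1]))

def demo():
    items = [17, 300, 999, 42]        # constructed sample items, each in 1..Q
    sk, pk = keygen()
    reply = vendor_reply(pk, buyer_query(pk, 3), items)
    return buyer_open(sk, reply, 3)   # 999
```

For i ≠ j the slot decrypts to x_i times a uniformly random element of G, which is why the Vendor must reject a pk or ciphertext component that lies outside G.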
Database Search
• OT/PIR/SPIR allow one to privately retrieve the ith entry of a database. Efficiency depends linearly (at least) on the size of the database.
• Sometimes this is not enough. For example, consider a list of fraudulent card numbers. A merchant wants to check if a particular number is in the list.
• Use OT/PIR?
  • Table of 10^16 ≈ 2^53 entries, 1 if fraudulent, 0 otherwise?
• Works on supporting more general database search.

Keyword Search (KS): definition
[Figure: Server holds (x1,p1), (x2,p2), …, (xn,pn); Client holds w; Client output: (xj, pj) iff w = xj]
• Input:
  • Server: database X = { (xi, pi) }, 1 ≤ i ≤ N
    • xi is a keyword (e.g. number of a corrupt card)
    • pi is the payload (e.g. why card is corrupt)
  • Client: search word w (e.g. credit card number)
• Output:
  • Server: nothing
  • Client:
    • pi if ∃ i : xi = w
    • otherwise nothing

Conclusions
• Our expectation of privacy in the “digital world” should not be bounded to our “physical world” experiences.
• The ability to duplicate, manipulate and communicate digital information is key.
• Very powerful cryptographic tool in the form of secure function evaluation.
• Research on efficient instantiations, possibly with some security relaxations.